Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap-buffer-overflow in stbi__load_main at stb_image.h:5580 #109

Closed
SuhwanSong opened this issue Dec 12, 2019 · 3 comments
Closed

heap-buffer-overflow in stbi__load_main at stb_image.h:5580 #109

SuhwanSong opened this issue Dec 12, 2019 · 3 comments

Comments

@SuhwanSong
Copy link

version : img2sixel 1.8.2

There is a heap-buffer-overflow in stbi__load_main at stb_image.h:5580
please run following cmd to reproduce it.

img2sixel --monochrome $PoC

poc
ASAN LOG

==9030==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004df1 at pc 0x0000004d90f2 bp 0x7ffc27974b30 sp 0x7ffc279742e0
READ of size 3 at 0x602000004df1 thread T0
    #0 0x4d90f1 in __asan_memcpy (/home/tmp/img2sixel+0x4d90f1)
    #1 0x7f3daf9e5623 in stbi__load_main /home/tmp/libsixel/src/./stb_image.h:5580:31
    #2 0x7f3daf938f1b in stbi__load_and_postprocess_8bit /home/tmp/libsixel/src/./stb_image.h:1090:19
    #3 0x7f3daf9877e7 in load_with_builtin /home/tmp/libsixel/src/loader.c:882:25
    #4 0x7f3daf9877e7 in sixel_helper_load_image_file /home/tmp/libsixel/src/loader.c:1352
    #5 0x7f3dafbd0d4f in sixel_encoder_encode /home/tmp/libsixel/src/encoder.c:1737:14
    #6 0x51787f in main /home/tmp/libsixel/converters/img2sixel.c:457:22
    #7 0x7f3dadf33b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41a379 in _start (/home/tmp/img2sixel+0x41a379)

0x602000004df1 is located 0 bytes to the right of 1-byte region [0x602000004df0,0x602000004df1)
allocated by thread T0 here:
    #0 0x4da230 in __interceptor_malloc (/home/tmp/img2sixel+0x4da230)
    #1 0x7f3daf9e205a in stbi_malloc /home/tmp/libsixel/src/loader.c:76:12
    #2 0x7f3daf9e205a in stbi__malloc /home/tmp/libsixel/src/./stb_image.h:859
    #3 0x7f3daf9e205a in stbi__malloc_mad2 /home/tmp/libsixel/src/./stb_image.h:920
    #4 0x7f3daf9e205a in stbi__tga_load /home/tmp/libsixel/src/./stb_image.h:5527
    #5 0x7f3daf9e205a in stbi__load_main /home/tmp/libsixel/src/./stb_image.h:1011
    #6 0x7f3daf938f1b in stbi__load_and_postprocess_8bit /home/tmp/libsixel/src/./stb_image.h:1090:19
    #7 0x7f3daf9877e7 in load_with_builtin /home/tmp/libsixel/src/loader.c:882:25
    #8 0x7f3daf9877e7 in sixel_helper_load_image_file /home/tmp/libsixel/src/loader.c:1352
    #9 0x7f3dafbd0d4f in sixel_encoder_encode /home/tmp/libsixel/src/encoder.c:1737:14
    #10 0x51787f in main /home/tmp/libsixel/converters/img2sixel.c:457:22
    #11 0x7f3dadf33b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/tmp/img2sixel+0x4d90f1) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff8960: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8970: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8980: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8990: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff89a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c047fff89b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa[01]fa
  0x0c047fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9030==ABORTING
@carnil
Copy link

carnil commented Dec 13, 2019
edited
Loading

CVE-2019-19777 has been assigned to this issue.

@saitoha
Copy link
Owner

saitoha commented Dec 17, 2019

This problem is fixed on v1.8.3, with d6e34fc. Thanks.

@saitoha saitoha closed this as completed Dec 17, 2019
@gutiniao
Copy link

CVE-2019-19777 has been sassigned to this issue.

Hello, I have some problems about cve sassigning. I submit some issues on CVE website.but i still don't recieve any reply about the issues after i got the request ID. If you known some reasons,you can send email to me([email protected]).
Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@carnil @saitoha @SuhwanSong @gutiniao